Security Basics mailing list archives

RE: Key Loggers


From: "Scan America" <ghewitt () scan-america com>
Date: Mon, 27 Oct 2003 15:52:27 -0600

Ivan - 

I have had success finding and isolating Key Logging software with
commercial anti-spyware products.  The one I am using is Spy Sweeper
(www.webroot.com).  Keyloggers are explicitly sought, as well as variants
(called traces).  I "swept" one machine, only to find over 800 spyware
instances, with nearly 3000 "traces."  Basically, this means there were 800
different bugs and almost 3000 different forms of those 800.  There is one
I particularly despise, called Gator, which implants itself in the Registry,
the startup programs and executables that are started by other Windows
programs.  It is a way of re-seeding itself and most humans won't be able to
root it out of the registry.

It also will seek out other hard-to-find instances of "malware" such as
in-memory spyware and cookies of all types.  For cookies you know you want
to keep, you can tell the product to "always keep" certain cookies.  Spyware
that is caught is quarantined and you must go there to delete the
references.  In the Quarantine folder, you can see the explicit path to the
spyware trace and the exact form of spyware it is infected with.  At that
time you can delete it or restore it.

Note also that I do not sell, re-sell or represent webroot in any form.   I
am sure there are other products that also do a good job.  

This product works like AntiVirus software, in that it provides a
subscription to their server-based list of spy-traces and you periodically
update the spy definitions.  Currently it has 13,012 known spy traces.  Like
AV software, you can test a drive or drives for spyware and/or schedule
regular sweeps to run at specific periods of time.

Gary M Hewitt, Pres
Scan America
Brookfield, WI

----------------------------------------------------------------------------

-----Original Message-----
From: Alfred.Diggs () STIS com [mailto:Alfred.Diggs () STIS com] 
Sent: Friday, October 24, 2003 6:17 PM
To: ivan.hernandez () globalsis com ar; s7726 () yahoo com
Cc: security-basics () securityfocus com
Subject: RE: Key Loggers


A few ways to find keyloggers.

1. Check your task manager for anything out of the ordinary. (after a few
years of windows you know all the running apps.)

2. Run a firewall on your computer like ZoneAlarm as it will block (or at
least ask) any email servers from sending out email. (most keyloggers have a
built-in email server)

3. You can try writing some funky word and then searching for it, but most
keyloggers encrypt the data and it may not be found easily. (Be mindful: if,
while you're typing your special word, you change a character, it will be
recorded as   myspecii<BS>alword   where BS=BackSpace to kill the extra i.)



Good Luck


Alfred


-----Original Message-----
From: Ivan Hernandez [mailto:ivan.hernandez () globalsis com ar] 
Sent: Friday, October 24, 2003 3:56 PM
To: s7726 () yahoo com
Cc: Security-Basics
Subject: Re: Key Loggers

s7726 wrote:

Is there a way to determine if a running process is logging keys? Can
you, say, look at whether or not it is implementing hooks or something? I
am interested to know if someone has put a key logger on a few
machines.


Thank you


S7726 at yahoo dot com
 


I would first (in doubt) disconnect the machine from the network and
start analysing the traffic, then search for any changing file each time
you press a key!
Also, writing a strange word and searching for it can be useful sometimes.
ivan hernandez
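Two of the checks suggested in this thread can be scripted together: Ivan's "find any file that changes each time you press a key" (a before/after snapshot of file sizes and modification times) and Alfred's canary-word search, including the case where a backspace during typing leaves the log reading `myspecii<BS>alword`. The following is an added example, not code from any poster; it assumes the logger writes a plain-text file with backspaces rendered as a literal `<BS>` token, and the canary word, the directory layout and the sample log line are constructed for the demonstration.

```python
import os
import re
import tempfile

# Canary word for this demonstration (constructed; choose your own in practice).
CANARY = "myspecialword"

def apply_backspaces(text: str) -> str:
    """Replay a captured keystroke stream, treating each literal <BS> token as a
    backspace, so 'myspecii<BS>alword' collapses to 'myspecialword'."""
    out = []
    for token in re.split(r"(<BS>)", text):
        if token == "<BS>":
            if out:
                out.pop()
        else:
            out.extend(token)
    return "".join(out)

def contains_canary(text: str, canary: str = CANARY) -> bool:
    """True if the canary appears in the text once backspaces are applied."""
    return canary in apply_backspaces(text)

def snapshot(root: str) -> dict:
    """Record (size, mtime_ns) for every regular file under root."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished between listing and stat
            snap[path] = (st.st_size, st.st_mtime_ns)
    return snap

def changed_files(before: dict, after: dict) -> list:
    """Paths created or modified between two snapshots (size or mtime differs)."""
    return sorted(p for p, meta in after.items() if before.get(p) != meta)

def scan_for_canary(paths, canary: str = CANARY, max_bytes: int = 1 << 20) -> list:
    """Return the subset of paths whose first max_bytes contain the canary.
    Reads as latin-1 so arbitrary bytes never raise a decode error."""
    hits = []
    for p in paths:
        try:
            with open(p, "rb") as f:
                data = f.read(max_bytes)
        except OSError:
            continue
        if contains_canary(data.decode("latin-1"), canary):
            hits.append(p)
    return hits

def demo() -> tuple:
    """Simulate the procedure in a temp directory: snapshot, 'type' the canary
    (a constructed keystroke log appears), snapshot again, diff, then search
    only the changed files. Returns (changed_paths, canary_hit_paths)."""
    with tempfile.TemporaryDirectory() as root:
        # A file that already existed before typing; it must not be flagged.
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("unrelated contents\n")
        before = snapshot(root)

        # Constructed sample of what a plain-text keystroke log might contain,
        # including the backspace made while typing the canary.
        log_path = os.path.join(root, "svchost.log")
        with open(log_path, "w") as f:
            f.write("[14:02:11] notepad.exe: myspecii<BS>alword\n")

        after = snapshot(root)
        changed = changed_files(before, after)
        hits = scan_for_canary(changed)
        return (changed, hits)

if __name__ == "__main__":
    changed, hits = demo()
    print("changed after typing:", changed)
    print("contain canary      :", hits)
```

As the thread notes, a logger that encrypts its output defeats the string search; the snapshot diff still narrows the suspects to whatever files grew or were touched right after you typed, which is why the two checks are combined here rather than run alone.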


---------------------------------------------------------------------------
Visual & Easy-to-use are not words that you think of when talking about
network analyzers. Are you sick of the three window text decodes? Download
ClearSight Network's Analyzer and see a new network analysis tool that
makes the complex - easy
http://www.securityfocus.com/sponsor/ClearSightNetworks_security-basics_031021
----------------------------------------------------------------------------